Elastic Search
Gain Insight Into Your Enterprise
About us
University of Wisconsin – Milwaukee
University IT Services
• Chris Spadanuda – Associate Director Enterprise Services
• Ben Seefeldt – Lead Administrator IT Architecture and Infrastructure
• John Goodman – Manager, Identity and Access Management
About UWM Enterprise Services
• Identity and Access Management
• Systems Support
• Business Applications
UW Digital ID
UWM ePantherID
Enterprise Services - Goals
• Manage demand (MFA, Unified Communications, Storage, etc.)
• Modernize IAM infrastructure
• Update and refresh Data Center infrastructure
• Transition to cloud services – AWS, Azure
• Continue to increase compliance and security
More data = More insight = More action
• Early efforts
– Syslog Server, Splunk, AD Audit
• Information we wanted and problems to solve
– Patch levels
– Phishing mitigation
– Identity login locations
– Service performance
– What applications and users are using our services
– Service dependencies
– Service utilization
– Audit response and security (long term and short term)
The Elastic Stack
Logstash
• Inputs
• Filters
• Outputs
Elasticsearch
• Indices
• Index templates
Ingestion
• Pipelines
• Data enrichment
Kibana
• Fields
• Index Patterns
Architecture
Fields
• Timestamp
• Agent
• Client IP
• Geolocation
• Server IP
• Http_status
• Request uri
Data Types
• String
• Numeric
• Date
• Boolean
• Binary
• Array
• Objects
Aggregations
• Building blocks towards more complex data summaries
• Buckets: Match relevant data based on defined criteria
• Metric: Track and compute information from a set of documents
Visualizations
• Based upon queries
• Dashboards
• Bar graphs
• Pie charts
• Tables
• Coordinate maps
Identifying Data Sources
• Authentication attempts (Success / Failure)
• Load balancer performance
• Webpage load times
• Error status
• Sourcing service usage
• Identify client software connections (OS / Browser type)
Putting Data Into Action
• Office 365 authentication attempts
• Geolocation of authentication attempts
• Correlating similar authentication attempts
• Identifying user impact
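The bucket/metric aggregation idea from the earlier slide, applied to the authentication use case above: an added example, not code from the presenters or from the Elastic Stack itself. It assumes indexed documents carry a user name in `user`, the GeoIP country in `geo_country`, and a `status` field; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample documents using the fields listed earlier (timestamp,
# client IP, geolocation); the field names user/geo_country/status are assumptions.
EVENTS = [
    {"@timestamp": "2019-03-01T08:00:00Z", "user": "alice", "client_ip": "198.51.100.10", "geo_country": "US", "status": "success"},
    {"@timestamp": "2019-03-01T08:20:00Z", "user": "alice", "client_ip": "203.0.113.5", "geo_country": "NG", "status": "success"},
    {"@timestamp": "2019-03-01T09:00:00Z", "user": "bob", "client_ip": "198.51.100.20", "geo_country": "US", "status": "failure"},
    {"@timestamp": "2019-03-01T09:01:00Z", "user": "bob", "client_ip": "198.51.100.20", "geo_country": "US", "status": "success"},
    {"@timestamp": "2019-03-02T09:00:00Z", "user": "carol", "client_ip": "192.0.2.7", "geo_country": "DE", "status": "success"},
    {"@timestamp": "2019-03-01T10:00:00Z", "user": "carol", "client_ip": "198.51.100.30", "geo_country": "US", "status": "success"},
]


def es_aggregation(window="1h"):
    """The same correlation expressed as an Elasticsearch request body:
    a terms bucket per user, with a cardinality metric over the country field."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"status": "success"}},
            {"range": {"@timestamp": {"gte": "now-" + window}}},
        ]}},
        "aggs": {"by_user": {"terms": {"field": "user"},
                             "aggs": {"countries": {"cardinality": {"field": "geo_country"}}}}},
    }


def flag_multi_country_logins(events, window=timedelta(hours=1)):
    """Bucket successful logins by user, then flag users whose consecutive
    successful logins come from different countries within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"] != "success":
            continue
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[e["user"]].append((ts, e["geo_country"], e["client_ip"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological order so adjacent pairs are comparable
        for (t_prev, c_prev, _), (t, c, _) in zip(logins, logins[1:]):
            if c != c_prev and t - t_prev <= window:
                flagged[user] = sorted({c_prev, c})
    return flagged


if __name__ == "__main__":
    print(flag_multi_country_logins(EVENTS))  # alice: US then NG 20 minutes apart
```

Carol's two countries are a day apart and bob's failed attempt is excluded, so only alice is surfaced for follow-up on user impact.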
Compromised Accounts
Demo